# Large HW Swings

Supported setups:

SCOPES:

* OPENADC
* CWNANO

PLATFORMS:

* CWLITEARM
* CWLITEXMEGA
* CWNANO

In [None]:
SCOPETYPE = 'OPENADC'
PLATFORM = 'CWLITEARM'
CRYPTO_TARGET = 'TINYAES128C'
num_traces = 50

In [None]:
%%bash -s "$PLATFORM" "$CRYPTO_TARGET"
cd ../hardware/victims/firmware/simpleserial-aes
make PLATFORM=$1 CRYPTO_TARGET=$2

## Data Tracing Theory

In the last tutorial, we saw how the power measurement of a device is related to the Hamming weight. Let's use this to see where some arbitrary data is processed by a device. We'll later expand on this to perform a test that also takes into account noise.

Our objective is simple - we'll send in some data with all 1's in one location, and then some data with all 0's.

## Capturing Power Traces

Capturing power traces will be very similar to previous tutorials, except this time we'll be using a loop to capture multiple traces, as well as numpy to store them.

### Setup

We'll use some helper scripts to make setup and programming easier. If you're using an XMEGA or STM (CWLITEARM) target, binaries with the correct should be setup for you:

In [None]:
%run "Helper_Scripts/Setup_Generic.ipynb"

In [None]:
fw_path = '../hardware/victims/firmware/simpleserial-aes/simpleserial-aes-{}.hex'.format(PLATFORM)

In [None]:
# program the target
cw.program_target(scope, prog, fw_path)

### Capturing Traces

Below you can see the capture loop. The main body of the loop loads some new plaintext, arms the scope, sends the key and plaintext, then finally records and appends our new trace to the `traces[]` list. At the end, we convert the trace data to numpy arrays, since that's what we'll be using for analysis.

In [None]:
#Capture Traces
from tqdm import tnrange
import numpy as np
import time

ktp = cw.ktp.Basic()

traces = []

for i in tnrange(num_traces, desc='Capturing traces'):
    key, text = ktp.next()
    
    #Currently ALL bits are random. Let's extend bit 0 to a full byte to give us a random 0xFF or 0x00
    if text[0] & 0x01:
        text[0] = 0xFF
    else:
        text[0] = 0x00
    
    trace = cw.capture_trace(scope, target, text, key)
    if trace is None:
        continue
    traces.append(trace)

Now that we have our traces, we can also plot them using Bokeh:

In [None]:
from bokeh.plotting import figure, show
from bokeh.io import output_notebook

output_notebook()
p = figure()

xrange = range(len(traces[0].wave))
p.line(xrange, traces[2].wave, line_color="red")
show(p)

In [None]:
# cleanup the connection to the target and scope
scope.dis()
target.dis()

## Trace Analysis

### Comparing 0xFF to 0x00

Now that we have some traces, let's look at what we've actually recorded. We'll be doing the following tasks:

1. Seperate traces into two groups: 0x00, and 0xFF
1. Make an average of each group.
1. Subtract the two averages and see the difference.

This will be shown in the following two cells. Note the number of 0xFF and 0x00 isn't exactly 50/50. That is why we need to ensure we average them.

In [None]:
from bokeh.plotting import figure, show
from bokeh.io import output_notebook
import numpy as np

output_notebook()
p = figure()

one_list = []
zero_list = []

for trace in traces:
    if trace.textin[0] == 0x00:
        one_list.append(trace.wave)
    else:
        zero_list.append(trace.wave)

print("Number of 0xFF: " + str(len(one_list)))
print("Number of 0x00: " + str(len(zero_list)))

In [None]:
one_avg = np.asarray(one_list).mean(axis=0)
zero_avg = np.asarray(zero_list).mean(axis=0)

diff = one_avg - zero_avg

p.line(range(0, len(traces[0].wave)), diff)

show(p)

Notice the large spike as the data is handled. You could also try some of the following if you have time:

* Force the OUTPUT data to all 0xFFs or all 0x00s
* Force some intermediate value of 0xFFs or all 0x00s
* Set multiple bytes to 0xFF vs 0x00
* Plot each byte in sequence to see the data movement

## Tests

In [None]:
assert (max(abs(diff)) > 0.01), "Low max difference of {} between 0x00 and 0xFF".format(max(abs(diff)))